- Oauth2.0 最早接触这个概念是在做微信订阅号开发。当时还被深深的绕进去,关于oauth2.0的解释网上有好多,而且都讲解的比较详细,下面给大家价格参考资料。.
- Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
Posted 4/15/16 4:52 AM, 15 messages. I have searched over the web and could not find a solution to my problem. I am implementing OAuth in my app. I am using ASP.NET Web API 2, and Owin. The scenario is this, once a user request to the.
OWIN Security-How to Implement OAuth2 Refresh Tokens (3)
I am using the Web Api 2 template that comes with Visual Studio 2013 has some OWIN middleware to do User Authentication and the likes of.
In the OAuthAuthorizationServerOptions
I noticed that the OAuth2 Server is setup to hand out tokens that expire in 14 days
This is not suitable for my latest project. I would like to hand out short lived bearer_tokens that can be refreshed using a refresh_token
I have done lots of googling and can't find anything helpful.
So this is how far I have managed to get. I have now reached the point of 'WTF do I now'.
I have written a RefreshTokenProvider
that implements IAuthenticationTokenProvider
as per the RefreshTokenProvider
property on OAuthAuthorizationServerOptions
class:
So now when someone requests a bearer_token
I am now sending a refresh_token
, which is great.
So now how do I uses this refresh_token to get a new bearer_token
, presumably I need to send a request to my token endpoint with some specific HTTP Headers set?
Authenticationtokencreatecontext Settoken
Just thinking out loud as I type... Should I handle refresh_token expiration in my SimpleRefreshTokenProvider
? How would a client obtain a new refresh_token
?
I could really do with some reading material / documentation because I don't want to get this wrong and would like to follow some sort of standard.
Authenticationtokencreatecontext Serializeticket
Freddy's answer helped me a lot to get this working. For the sake of completeness here's how you could implement hashing of the token:
In CreateAsync
:
ReceiveAsync
:
之前写过2篇关于refresh token的生成与持久化的博文:1)Web API与OAuth:既生access token,何生refresh token;2)ASP.NET OWIN OAuth:refresh token的持久化。
之后我们在CNBlogsRefreshTokenProvider中这样实现了refresh token的生成与持久化:
后来发现一个问题(这是遇到的第1个问题),在用户不登录的情况下,以client credentials grant方式获取access token时,也会生成refresh token并且保存至数据库。而refresh token是为了解决以resource owner password credentials grant方式获取access token时多次输入用户名与密码的麻烦。所以,对于client credentials grant的场景,生成refresh token完全没有必要。
于是,就得想办法避免这种refresh token生不逢时的情况。后来,找到了解决方法,很简单,只需在CreateAsync的重载方法的开头加上如下的代码:
遇到的第2个问题是,Client多次以resource owner password credentials grant的方式获取refresh token,会生成多个refresh token,并且会在数据库中保存多条记录。
通常情况的操作是,Client以resource owner password credentials grant的方式获取refresh token,并之将保存。需要更新access token时就用这个refresh token去更新,更新的同时会生成新的refresh token,并且将原先的refresh token删除。对应的实现代码如下:
但是当Client多次获取多个refresh token时,只有那个用于刷新access token的refresh token会被删除,其他的refresh token会成为无人问津的垃圾留在数据库中。为了爱护环境,不乱扔垃圾,我们得解决这个问题。
解决的思路是在生成新的refresh token并将之保存至数据库之前,将对应于这个用户(resource owner)及这个client的所有refresh token删除。删除所依据的条件是ClientId与UserId,由于之前持久化refresh token时只保存了UserName,没有保存UserId,所以要给RefreshToken增加UserId属性。然后给Application层的IRefreshTokenService接口增加删除方法:
(该方法的实现省略)
接着在CNBlogsRefreshTokenProvider中保存refresh token之前,调用这个方法:
这样就解决了第2个问题。
Comments are closed.